An MFT parser is a tool that reads $MFT — the Master File Table at the root of every NTFS volume — and turns its 1,024-byte records into something a human or a downstream tool can use: CSV, JSON, a timeline, a searchable index. There are three projects that matter in practice. This post compares them honestly and tells you when each is the right choice.
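As an added example, not code from this page or from any of the tools compared here, the following Python reads one 1,024-byte record the way every parser below must before it can emit a row: it checks the FILE signature, applies the update-sequence fixup (and rejects a torn record), then walks the resident attributes for the $STANDARD_INFORMATION and $FILE_NAME timestamps, the parent reference and the file name. The record it parses is constructed by `build_sample_record` (record 42, a file named `notes.txt` under the root directory, timestamps of 2020-01-01), not taken from any real volume.

```python
import struct
from datetime import datetime, timedelta, timezone
SECTOR, EPOCH_1601 = 512, datetime(1601, 1, 1, tzinfo=timezone.utc)
def filetime_to_dt(ft: int) -> datetime:            # FILETIME: 100-ns ticks since 1601-01-01 UTC
    return EPOCH_1601 + timedelta(microseconds=ft // 10)
def apply_fixup(rec: bytearray) -> None:
    """NTFS stamps the update sequence number (USN) over the last 2 bytes of every sector and
    keeps the originals in the update sequence array; restore them, rejecting a torn record."""
    usa_off, usa_words = struct.unpack_from("<HH", rec, 4)
    usn = bytes(rec[usa_off:usa_off + 2])
    for i in range(1, usa_words):
        if rec[i * SECTOR - 2:i * SECTOR] != usn:
            raise ValueError(f"USN mismatch at sector {i - 1}: torn record")
        rec[i * SECTOR - 2:i * SECTOR] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
def parse_record(raw: bytes) -> dict:
    """Header fields plus the $STANDARD_INFORMATION (SI) and $FILE_NAME (FN) essentials."""
    if len(raw) != 1024 or raw[:4] != b"FILE":
        raise ValueError("not a 1,024-byte FILE record")
    rec = bytearray(raw)
    apply_fixup(rec)
    seq, _links, pos, flags = struct.unpack_from("<HHHH", rec, 0x10)   # pos = first attribute
    out = {"record": struct.unpack_from("<I", rec, 0x2C)[0], "seq": seq, "in_use": bool(flags & 1)}
    while True:
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == 0xFFFFFFFF or alen == 0: break   # end marker (or a bogus length: stop)
        if rec[pos + 8] == 0:                        # resident: content lives inside the record
            clen, coff = struct.unpack_from("<IH", rec, pos + 0x10)
            body = rec[pos + coff:pos + coff + clen]
            if atype == 0x10:                        # SI: four FILETIMEs, created first
                out["si_created"] = filetime_to_dt(struct.unpack_from("<Q", body)[0])
            elif atype == 0x30:                      # FN: parent ref, four FILETIMEs, ..., name
                parent, fn_created = struct.unpack_from("<QQ", body)
                out["parent"] = parent & 0xFFFFFFFFFFFF     # low 48 bits = parent record number
                out["fn_created"] = filetime_to_dt(fn_created)
                out["name"] = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
        pos += alen
    return out
def build_sample_record(ft: int = 132223104000000000) -> bytes:   # default: 2020-01-01T00:00:00Z
    """Constructed entry (not from any real volume): record 42, 'notes.txt' under root (record 5)."""
    def attr(atype: int, body: bytes) -> bytes:      # resident attribute, padded to 8 bytes
        total = (0x18 + len(body) + 7) & ~7
        return struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0x18, 0, 0, len(body), 0x18, 0, 0) + body.ljust(total - 0x18, b"\0")
    si = struct.pack("<QQQQI", ft, ft, ft, ft, 0x20) + bytes(0x24)
    fn = struct.pack("<QQQQQQQII", 5 | (5 << 48), ft, ft, ft, ft, 0, 0, 0x20, 0) + bytes([9, 1])
    attrs = attr(0x10, si) + attr(0x30, fn + "notes.txt".encode("utf-16-le")) + struct.pack("<II", 0xFFFFFFFF, 0)
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 7, 1, 0x38, 1, 0x38 + len(attrs), 1024, 0, 3, 0, 42)
    rec = bytearray(hdr + b"\x07\x00" + bytes(6) + attrs).ljust(1024, b"\0")   # USN 7, USA slots zeroed
    for i in (1, 2):                                 # save each sector tail into the USA, then stamp the USN
        rec[0x30 + 2 * i:0x32 + 2 * i], rec[i * SECTOR - 2:i * SECTOR] = rec[i * SECTOR - 2:i * SECTOR], b"\x07\x00"
    return bytes(rec)
```

Flipping any byte in a sector tail of the sample makes `parse_record` raise, which is the same torn-record condition the real parsers report rather than silently emitting a bad row.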
MFTECmd (Eric Zimmerman)
MFTECmd is the de facto standard in incident response. It is a Windows-only .NET CLI, free to use, that parses $MFT, $Boot, $J (the $UsnJrnl:$J change journal), $SDS (the security descriptor stream from $Secure), and $LogFile. Output is CSV in the bodyfile-adjacent layout that Eric Zimmerman's other tools (Timeline Explorer, KAPE, RECmd) consume.
Use it when:
- You are on a Windows analysis workstation.
- You want a CSV you can open in Timeline Explorer and pivot through interactively.
- You are running KAPE — MFTECmd is the bundled parser for the MFT target.
- You need $J parsing in the same workflow.
Skip it when: you are on macOS or Linux without a .NET runtime, or you want to embed parsing in another program.
A companion GUI, MFT Explorer, browses $MFT interactively in a tree view. Most analysts use both: MFTECmd for batch parsing, MFT Explorer when they need to chase a specific record.
omerbenamram/mft (Rust crate + CLI)
The omerbenamram/mft crate is the parser library this site uses. It ships as both a Rust dependency (cargo add mft) and a standalone CLI (mft_dump). The CLI emits CSV or JSON; the library exposes the full record structure for programmatic use.
Use it when:
- You need to embed MFT parsing in a larger Rust pipeline, a server, or a WebAssembly target.
- You want JSON output for piping into jq, OpenSearch, or a custom database.
- You are on Linux or macOS and do not want to install .NET.
- You want the parser to be auditable — the code is small, idiomatic Rust, and the test corpus is in the repo.
Skip it when: you want a turnkey analyst experience with a GUI and bundled timeline tooling.
The crate is what's running, compiled to WebAssembly, behind the browser parser on the homepage.
Browser-based parsing (this site)
The parser on this site takes the omerbenamram/mft crate, compiles it to WebAssembly, and runs it in a Web Worker. You drop a $MFT file onto the page and the records appear in a paginated, searchable table. Nothing is uploaded; the binary stays in your browser's memory.
Use it when:
- You want a quick read of an $MFT without installing anything.
- Policy forbids sending evidence to a cloud service. WebAssembly parsing happens locally — you can verify by disconnecting your network before dropping the file.
- You need to share a triage view with a colleague who does not have a forensics toolchain installed.
- You are demonstrating or teaching NTFS structure and want an interactive sandbox.
Skip it when: you have a multi-gigabyte $MFT from a heavily-used server (the parser holds every record in browser memory, so memory use grows linearly with the size of the file) or you need outputs that integrate with a wider Eric Zimmerman pipeline.
How they compare
| Feature | MFTECmd | omerbenamram/mft | Browser parser |
|---------|---------|------------------|----------------|
| Platform | Windows (.NET) | Linux / macOS / Windows / WebAssembly | Any modern browser |
| Install | One binary | cargo install or download | None |
| Output | CSV (Timeline Explorer schema) | CSV / JSON | Interactive table + CSV export |
| $UsnJrnl:$J | Yes | No (separate omerbenamram/usn crate) | Browser parser links to a $J view |
| $LogFile | Yes | No | No |
| Scriptable | CLI only | Library + CLI | No (UI-driven) |
| Privacy | Local | Local | Local (verified by network isolation) |
Picking one
For a routine IR engagement on a Windows workstation: MFTECmd. It is the path of least surprise and slots into KAPE and Timeline Explorer.
For a pipeline that ingests many disks, runs on Linux, or wants JSON: omerbenamram/mft. The CLI is fast and the library is the cleanest way to add MFT parsing to your own tool.
For a one-off triage, a hostile-network situation, a classroom, or a colleague without a forensics machine: the browser parser on this site.
The three are complementary. Most experienced examiners reach for whichever fits the moment rather than committing to one.